nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" is not working

Hi everyone,

I have a problem.

I would like to create a Kubernetes Ingress with the same behaviour as this nginx config:
ssl on;
ssl_certificate /certs/server.crt;
ssl_certificate_key /certs/server.nopass.key;
ssl_client_certificate /certs/ca.crt;
ssl_verify_client on;

I use these annotations:
kubernetes.io/ingress.allow-http: "false"
# Enable client certificate authentication
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
# Create the secret containing the trusted ca certificates
nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
# Specify the verification depth in the client certificates chain
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
# Specify an error page to be redirected to verification errors
nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.google.com"
# Specify if certificates are passed to upstream server
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"

But I can get through the ingress with a wrong client cert. I do not get the same behaviour that nginx provides.
Am I wrong anywhere, or is there a bug on the Kubernetes side?

Moreover, I see that one guy has the same issue: google kubernetes engine - GKE Nginx Ingress - Setting host causes 400 No required SSL certificate - Stack Overflow

It seems the answer is here: HTTPS consistangly gives Fake Kubernetes Certificate · Issue #1984 · kubernetes/ingress-nginx · GitHub. We cannot use an IP, only a domain name; otherwise "you will be directed to the default server" (aledbf commented on 25 Jan 2018).

But Nginx can do that…

Guys, I just added --no-check-certificate:

wget --private-key ca.key --certificate ca.crt http://34.134.253.193/ --no-check-certificate

and everything started working as expected:

  1. correct answer on correct certs.
  2. error redirect on any other certs.

My current ingress-nginx backend:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.46.0/deploy/static/provider/cloud/deploy.yaml

I generate certs using these commands:
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 500 -subj /C=UA/ST=Kyiv/L=Kyiv/O=SomeOrg/OU=Nick/CN=34.134.253.193/emailAddress=murha.for.articles@gmail.com -out ca.crt
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
openssl rsa -in server.key -out server.nopass.key

My secret generation command is:
kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.nopass.key --from-file=ca.crt=ca.crt

And my current Ingress YAML annotations are:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: /$1
# Enable client certificate authentication
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
# Create the secret containing the trusted ca certificates
nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
# Specify the verification depth in the client certificates chain
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
# Specify an error page to be redirected to verification errors
nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.google.com"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

I appreciate your review, because I have to show these configs to a client.
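The whole procedure from the thread (CA and certificate generation, the secret, the auth-tls annotations, and a client check) as one runnable script. This is an added example, not the poster's configuration and not code from the ingress-nginx project. It assumes the hostname ingress.example.internal, a backend Service named demo-svc on port 80, the secret default/ca-secret, and the load-balancer IP quoted in the post; those names are placeholders. It issues a separate client certificate from the CA, checks that certificate against the CA with openssl verify (the same trust decision nginx makes during the handshake, and the decision that must reject an unrelated self-signed cert), and renders an Ingress that sets both host and spec.tls, since the linked issue says a request that matches no Ingress host lands on the controller's default server.

```shell
#!/bin/sh
# Added example (not the poster's config): openssl PKI, the trust check nginx
# makes at the handshake, and the Secret/Ingress that map the post's nginx
# directives onto ingress-nginx annotations. Assumed: host ingress.example.internal,
# Service demo-svc:80, secret default/ca-secret, the load-balancer IP from the post.
set -eu
TLS_HOST=${TLS_HOST:-ingress.example.internal}

# CA, a server leaf and a client leaf signed by it, plus an unrelated self-signed
# "rogue" cert standing in for a client the ingress must reject.
make_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -subj "/O=SomeOrg/CN=SomeOrg client CA" 2>/dev/null
  for leaf in server client; do
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$leaf.key" \
      -out "$dir/$leaf.csr" -subj "/O=SomeOrg/CN=$leaf.example.internal" 2>/dev/null
  done
  # distinct serials per leaf; the post issued with -set_serial 01 only
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -set_serial 01 -out "$dir/server.crt" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -set_serial 02 -out "$dir/client.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$dir/rogue.key" \
    -out "$dir/rogue.crt" -subj "/O=Other/CN=rogue" 2>/dev/null
}

# Same decision ssl_verify_client makes: does cert $2 chain to the CA in $1?
verify_client() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

# One generic Secret serves both spec.tls (tls.crt/tls.key) and auth-tls-secret (ca.crt).
secret_command() {
  echo "kubectl create secret generic ca-secret --from-file=tls.crt=$1/server.crt" \
    "--from-file=tls.key=$1/server.key --from-file=ca.crt=$1/ca.crt"
}

# ssl_verify_client on / ssl_client_certificate become auth-tls-* annotations.
# host and spec.tls are required: a request whose SNI matches no Ingress host is
# served by the controller's default server, which performs no client-cert check.
render_ingress() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mtls-demo
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.google.com"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  tls:
    - hosts: ["$TLS_HOST"]
      secretName: ca-secret
  rules:
    - host: $TLS_HOST
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: demo-svc
                port:
                  number: 80
EOF
}

# Client probe: --resolve keeps the SNI name equal to the Ingress host while
# connecting to the load-balancer IP, so the request reaches the mTLS server block.
probe_command() {
  echo "curl --resolve $TLS_HOST:443:34.134.253.193 --cacert $1/ca.crt" \
    "--cert $1/client.crt --key $1/client.key https://$TLS_HOST/"
}

main() {
  dir=$(mktemp -d)
  make_pki "$dir"
  echo "client.crt: $(verify_client "$dir/ca.crt" "$dir/client.crt")"   # accept
  echo "rogue.crt:  $(verify_client "$dir/ca.crt" "$dir/rogue.crt")"    # reject
  secret_command "$dir"; probe_command "$dir"; render_ingress
}
main
```

Run as-is, it builds the PKI in a temporary directory, prints the accept/reject decision for the good and the rogue certificate, and prints the kubectl command, the curl probe and the manifest to apply. The curl line uses --resolve rather than a bare IP URL so the TLS handshake carries the Ingress host as SNI; a client that connects by IP with no matching SNI name is served by the default server and never hits the auth-tls check.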